
Cybersecurity researchers have detailed two security flaws in the JavaScript-based blogging platform known as Ghost. One of them could be exploited to elevate privileges via a specially crafted HTTP request.
Ghost is an open source blogging platform used by over 52,600 live websites, mostly in the US, UK, Germany, China, France, Canada, and India.
An authentication bypass vulnerability, tracked as CVE-2022-41654 (CVSS score: 9.6), allows an unauthorized user (i.e., a member) to tamper with newsletter settings.
Cisco Talos, which discovered the shortcoming, says it may allow members to change the system-wide default newsletter to which all users are subscribed by default.
Even worse, because site administrators are permitted by default to inject JavaScript into newsletters, the flaw could be abused to trigger the creation of arbitrary administrator accounts when an administrator tries to edit the newsletter.
In an advisory published on November 28, 2022, Ghost said: .”
The CMS platform blamed a “gap” in API validation, adding that it found no evidence that the issue was being exploited in the wild.
Ghost has also patched an enumeration vulnerability in the login functionality (CVE-2022-41697, CVSS score: 5.3) that could lead to the disclosure of sensitive information.
According to Talos, an attacker could exploit this vulnerability to enumerate all valid Ghost users by providing their email addresses, which could then be used to narrowly target the next stage of a phishing attack.
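As an added defender-side example (not code from the article, Cisco Talos or the Ghost project), the following Python flags clients that submit many distinct email addresses to a login endpoint within a short window, the traffic pattern such an enumeration would leave in access logs. The log line format and the /ghost/api/admin/session path are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not Ghost's real access log):
#   <client ip> [<ISO timestamp>] "POST <path>" <status> email=<submitted email>
LINE_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "POST (?P<path>\S+)" '
                     r'(?P<status>\d{3}) email=(?P<email>\S+)$')
LOGIN_PATH = "/ghost/api/admin/session"  # assumed login endpoint path

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec

def find_enumerators(lines, path=LOGIN_PATH, window=timedelta(minutes=5), threshold=5):
    """Return {ip: n} for clients that submitted at least `threshold` distinct
    emails to `path` within one `window`; n is the largest such count seen."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == path:
            attempts[rec["ip"]].append((rec["ts"], rec["email"].lower()))
    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # shrink window
                start += 1
            distinct = {email for _, email in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged

# Constructed sample: one client cycles through six addresses in two minutes
# (enumeration pattern); another retries one address (an ordinary failed login).
SAMPLE_LOG = [
    f'203.0.113.7 [2022-11-29T10:0{i // 3}:{(i % 3) * 20:02d}] "POST {LOGIN_PATH}" '
    f'401 email=user{i}@example.com' for i in range(6)
] + [
    f'198.51.100.4 [2022-11-29T10:0{i}:05] "POST {LOGIN_PATH}" 401 email=bob@example.com'
    for i in range(3)
] + ['203.0.113.7 [2022-11-29T10:00:30] "POST /ghost/api/content/posts" 404 email=-']
if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # {'203.0.113.7': 6}
```

A client retrying one address is not flagged, so ordinary mistyped passwords do not trip the rule; tune the window and threshold to the site's normal login volume.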
Both flaws have been addressed in the Ghost (Pro) managed hosting service. Self-hosted users running versions 4.46.0 through 4.48.7, or any v5 release through 5.22.6, are advised to update to versions 4.48.8 and 5.22.7, respectively.
(Story updated with fixed CVSS score for CVE-2022-41654 based on advisory issued by Cisco Talos.)